I want to do permission checking prior to making an EJB request. The goal here is to set up the GUI so that only the options that the user has access to can be displayed.
EJBContext provides getCallerPrincipal to get the user, and isCallerInRole to provide info on which roles the user can take on. But there is no obvious way to get to the method permissions - the last piece of the puzzle.
Securing web pages has a similar problem. You can define permissions to be required for URL patterns in the web.xml, but there is no way in the API to ask what permissions are required for a particular URL. The guys at Sun indicated to me that was coming in a future version of the Servlet spec.
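
One way to work within the limits described above, as an added example that is not code from the original post: a session bean that answers "which GUI options may this caller see?" using only getCallerPrincipal and isCallerInRole, with the option-to-role table kept by hand because the container exposes no API for reading method permissions. It assumes EJB 3.x annotations; the bean name, option names and role names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean: option names and role names are made up for illustration.
@Stateless
@DeclareRoles({"clerk", "manager", "auditor"}) // roles queried via isCallerInRole must be declared
public class MenuPermissionsBean {

    // Hand-maintained copy of the method permissions: GUI option -> roles allowed.
    // The container offers no API to read these back, so this table must be kept
    // in step with the deployment descriptor (or @RolesAllowed) by hand.
    private static final Map<String, String[]> OPTION_ROLES = new LinkedHashMap<>();
    static {
        OPTION_ROLES.put("viewOrders", new String[] {"clerk", "manager", "auditor"});
        OPTION_ROLES.put("approveOrder", new String[] {"manager"});
        OPTION_ROLES.put("exportAuditLog", new String[] {"auditor"});
    }

    @Resource
    private SessionContext ctx;

    /** Name of the authenticated caller, for display in the GUI. */
    public String callerName() {
        return ctx.getCallerPrincipal().getName();
    }

    /**
     * Options the GUI may display for the current caller. This only drives what
     * is shown; enforcement stays with the method permissions on each business method.
     */
    public Set<String> visibleOptions() {
        Set<String> visible = new LinkedHashSet<>();
        for (Map.Entry<String, String[]> entry : OPTION_ROLES.entrySet()) {
            for (String role : entry.getValue()) {
                if (ctx.isCallerInRole(role)) {
                    visible.add(entry.getKey());
                    break; // one matching role is enough for this option
                }
            }
        }
        return visible;
    }
}
```

If the table drifts from the real method permissions, the result is a hidden option or a visible option that fails with an access error on invocation; access itself is still decided by the container.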